Hardware Security Keys: A Seatbelt for the Internet?—Cyber Saturday

The CEO and founder of Yubico, a startup that designs online account-securing fobs, says as much as she enthusiastically slaps a package on a table at Fortune’s offices. Inside the plastic container: Her latest product. It’s the first Lightning-port compatible hardware security key. Translation: the first security fob that works with Apple’s latest iPhones, generations 5 and later.

Hardware security keys come highly recommended by security experts. They offer an additional layer of protection—a second-factor, in the parlance—over passwords alone. They’re generally more secure than sending a one-time code to your phone, or using a random number generating application to produce the codes. Services such as Twitter, Facebook, and Dropbox support the keys.

Before one dismisses the notion—why am I going to stick this dongle into my phone every time I want to log into one of my accounts?—Stina anticipates the objection. You only have to stick in the key every so often. Google lets you have a 30-day grace period. Other services give you more leniency. Besides: What’s a minor inconvenience for so much peace of mind?

In calling her invention a seatbelt, Ehrensvärd is hearkening back to decades-old innovations at Volvo. In 1959, Nils Bohlin, an engineer at the carmaker, created the three-point seatbelt, which became the standard for safety across the auto industry. Instead of filing patents and keeping the life-saving design proprietary, Volvo chose to evangelize the innovation. Ehrensvärd, who is, coincidentally, also Swedish, aims to do the same with her invention.

“Even if you don’t write about Yubico, you should promote this standard,” Ehrensvärd implores. She refers to WebAuthn, an open authentication standard that enables all this technology to work. She wants to raise awareness about the protocol so that more big tech companies roll it out. Apple only recently began adding compatibility after the World Wide Web Consortium, or W3C, an Internet standards body, gave its blessing to the tech. (You can test the keys out on the beta, or experimental, version of Apple’s web browser Safari.)

Some security keys work without physical touch—no sticking keys in any ports. Instead, they use “near-field communication” or Bluetooth, two wireless telecom standards, to exchange authentication data. But Yubico won’t touch Bluetooth, for fear of security issues, and Apple has so far refused to let outsiders tap into its NFC capability. So, no contactless YubiKeys for iPhone.

In considering this (hopefully temporary) impasse between Yubico and Apple, one might do well to remember that it wasn’t the invention of the seatbelt that saved so many lives, but the convenience of the three-point strap design that Volvo’s Bohlin pioneered. If and when Apple buckles up and lets companies like Yubico tap into NFC, as Google has long enabled on Android, we’ll see real progress.

THREATS

Poison in the well. Last week Google’s elite Project Zero hacking team revealed details on 14 alarming iPhone vulnerabilities it discovered hackers to be exploiting in the wild for as long as two years. At the time they were discovered, the bugs affected iOS versions 10 through 12, Apple’s latest phone software. Apple released patches; to protect yourself, make sure your iPhone software is up to date.

The contagion spreads. Following Google’s iPhone vulnerability disclosure, TechCrunch reported that the referenced hackers were (likely) Chinese state sponsored actors targeting Uyghurs, an ethnic minority group. Forbes then reported that the hackers were also targeting Google Android and Microsoft Windows. Apple acknowledged that Uyghurs were targeted, but it has also disputed some of Google’s claims. This is a convoluted story that continues to develop…

Sharif don’t like it. A U.S. cyber operation conducted wiped a database used by Iran militants to target oil tankers in the Persian Gulf, the New York Times reports. The June 20th strike followed Iran shooting down an American drone. The alleged data destruction demonstrates how U.S. Cyber Command is upping its retaliatory tactics in cyberspace.

Si vis pacem, para bellum. NATO is opening a new cyber operations center in Mons, Belgium. In a statement about the news, Secretary General Jens Stoltenberg reaffirmed the group’s commitment to collective defense, specifically relating to cyberwar. “A serious cyberattack could trigger Article 5 of our founding treaty,” Stoltenberg writes, meaning “an attack against one ally is treated as an attack against all.”

iPhone? More like “iPwn.” Zerodium, a broker that buys phone-busting software tools from hackers and resells them to government and law enforcement agencies, is for the first time paying more for Android exploits than iPhone ones. Some security experts think Apple is having a bad year security-wise.

Hacks, leaks, and breaches. A server containing 419 million Facebook records, including people’s phone numbers, was found to be exposed to the Internet. Hostinger, a website hosting company, forced a password reset for customers after someone gained access to a database containing information on 14 million customers. The forums of XKCD, the humorous web comics site, were breached, exposing information on more than 560,000 people. Actress Chloë Moretz’s Twitter account apparently got hacked.

“Astronaut accused of hacking former spouse’s bank account from space“

ACCESS GRANTED

Cliff-hanging chad. The following excerpt is from a piece of speculative fiction penned by Alex Stamos, the former chief security officer of Facebook. In it, he imagines what horrors could befall the 2020 U.S. presidential election as a result of cybersecurity vulnerabilities, social media disinformation, and other systemic issues. To reiterate, the story, published on the national security blog Lawfare, is fictional…but it reads all too real.